Facebook Allows Strangers to Find You with the Phone Number You Provided for Two-Factor Authentication

We’ve been told for years that two-factor authentication helps keep us safe, since it makes it harder for attackers to get into our accounts even if they have our password. Facebook, however, doesn’t seem to see the contradiction in letting other people find you with the phone number you gave it to set up two-factor authentication. Worse yet, it won’t even let you opt out of it.

Facebook Allows Phone Number to Be Used

If you’re feeling extra safe on Facebook after securing your account with two-factor authentication tied to your phone number, you may want to read this. You may not want to, but you really should.

You probably feel even safer because you chose not to put your phone number on your profile, right? Including it would be silly, as it would let people you don’t want to associate with find you.

Facebook, however, seems to feel that none of that matters. Facebook already admitted last year that it was using those phone numbers to target users with ads. On top of that, a default account setting lets anyone searching Facebook for that phone number find your profile, whether or not they are someone you know. This is what Jeremy Burge alerted everyone to on Twitter.

You can see from the screenshot above that I never even enabled two-factor authentication. Not because I wasn’t trying to be more secure or because I had some premonition of what the phone number would be used for; I just never did it.

Yet Facebook still has my phone number. This is because I joined Facebook years ago, before we knew as much as we do now about keeping our data safe and the potential evils of handing our information to Facebook. I had provided my phone number at that point for business purposes and later took it off my profile. However, they still have it.

And what I found in the screenshot above is that people can use that number to look me up. By default, this is set to “Everyone.” That was surprising and a little scary. I quickly changed it to “Friends.” I have the option to remove the phone number from my account altogether but am choosing not to, now that I know only friends can use it to find me. Those who use two-factor authentication do not have the same option to remove it.

To check this setting on your own account, go to “Privacy Settings -> Who Can Look You Up Using the Phone Number You Provided.” There is no option to let no one look you up, though there should be, so the best choice available is “Friends.” Keep in mind that this setting only limits who can search for you; the number itself stays on file with Facebook.
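To make the design problem concrete, here is an added illustration (not Facebook’s code, and not from the article) of a phone-number lookup that applies a “who can look you up” setting. The data model, the three visibility tiers (Everyone, Friends of friends, Friends), the purpose tag on each stored number and all user names are assumptions made for the example. The weak version searches every number on file, so a number given only for two-factor codes is discoverable under the default “Everyone” setting; the segmented version never exposes a number collected solely for a second factor, whatever the setting says.

```python
"""Phone lookup with a visibility setting and 2FA-number segmentation.

Added example; not Facebook code. The model, tiers and names are assumptions
chosen to mirror the setting the article describes.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set


class Visibility(Enum):
    EVERYONE = "everyone"                  # the default the article describes
    FRIENDS_OF_FRIENDS = "friends_of_friends"
    FRIENDS = "friends"


class Purpose(Enum):
    PROFILE = "profile"     # number the user chose to provide as contact info
    TWO_FACTOR = "2fa"      # number supplied only to receive second-factor codes


@dataclass
class Phone:
    e164: str
    purpose: Purpose


@dataclass
class User:
    uid: str
    phones: List[Phone] = field(default_factory=list)
    friends: Set[str] = field(default_factory=set)
    lookup_visibility: Visibility = Visibility.EVERYONE


def _in_scope(target: User, searcher: Optional[str], users: Dict[str, User]) -> bool:
    """Does the target's visibility setting allow this searcher to find them?"""
    if target.lookup_visibility is Visibility.EVERYONE:
        return True
    if searcher is None or searcher not in users:
        return False                          # anonymous or unknown account
    if searcher in target.friends:
        return True
    if target.lookup_visibility is Visibility.FRIENDS_OF_FRIENDS:
        return any(searcher in users[f].friends for f in target.friends if f in users)
    return False


def lookup_by_phone_weak(number: str, searcher: Optional[str],
                         users: Dict[str, User]) -> List[str]:
    """Flawed design: every stored number is searchable, 2FA numbers included."""
    return sorted(u.uid for u in users.values()
                  if any(p.e164 == number for p in u.phones)
                  and _in_scope(u, searcher, users))


def lookup_by_phone_segmented(number: str, searcher: Optional[str],
                              users: Dict[str, User]) -> List[str]:
    """Hardened design: only numbers the user provided for contact purposes are
    searchable; a number collected for 2FA is never a discovery key."""
    return sorted(u.uid for u in users.values()
                  if any(p.e164 == number and p.purpose is Purpose.PROFILE
                         for p in u.phones)
                  and _in_scope(u, searcher, users))


def build_sample_users() -> Dict[str, User]:
    """Constructed sample data: alice enrolled in 2FA and never set a contact
    number; bob lists a contact number but restricted lookup to friends."""
    alice = User("alice", [Phone("+15550100", Purpose.TWO_FACTOR)])
    bob = User("bob", [Phone("+15550200", Purpose.PROFILE)],
               lookup_visibility=Visibility.FRIENDS)
    carol = User("carol")
    bob.friends.add("carol")
    carol.friends.add("bob")
    return {"alice": alice, "bob": bob, "carol": carol}


if __name__ == "__main__":
    users = build_sample_users()
    # A stranger with no account searches alice's 2FA number.
    print("weak:     ", lookup_by_phone_weak("+15550100", None, users))
    print("segmented:", lookup_by_phone_segmented("+15550100", None, users))
```

The point of the split is that the purpose for which a number was collected travels with the number, so the search path cannot see a 2FA number at all; the visibility setting then only governs numbers the user meant to be contactable on.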

Facebook Phone Number Fallout

Alex Stamos, Facebook’s former chief security officer who is now an adjunct professor at Stanford University, remarked, “Facebook can’t credibly require two-factor for high-risk accounts without segmenting that from search and ads.”

Security expert Zeynep Tufekci tweeted, “Using security to further weaken privacy is a lousy move – especially since phone numbers can be hijacked to weaken security. Putting people at risk.”

What are your thoughts regarding this hidden default setting of Facebook? Did you know Facebook was using your two-factor authentication phone number to allow strangers to look you up? Comment below and let us know your thoughts on it.